My Road to Digital Forensics Excellence

The Time and Attendance Investigation

Posted by Paul Bobby on June 17, 2009

One of the more common Ethics related cases I am tasked with is that of the Time and Attendance allegation. It has been alleged that Bob comes in late, takes 2 hours for lunch, and leaves early. The reporting party has indicated that this activity is ongoing, and started about a month ago. The Ethics officer has turned to me requesting any data from the employees’ computer that supports the allegation.

Let’s take a look at the Event Logs….but confine ourselves to Windows XP for now.

The event logs can contain as much or as little as policy dictates. Individual applications typically log application level status to the Application event log, the OS to the System event log, and the security model to the Security event log. Local Security Policy governs how much data is recorded to the Security event log.

Several of my colleagues have expressed disappointment with the event logging system on XP – to the point that they discount it totally as a reliable source for Time and Attendance data. I believe this is unfounded – the Security Policy has only to be configured with 4 options to produce enough data to support this allegation. What follows is a series of scenarios conducted against a Windows XP SP2 image running under VMWare. This Windows XP SP2 image was configured with the following security policy:

Local Security Policy
The following scenarios were executed using the credentials of a Local Account:

  1. Local Account Login – Successful
  2. Local Account Login – Unsuccessful
  3. Local Account Logoff
  4. Idle until system lock
  5. Unlock the screensaver – Successful
  6. Manual System Lock
  7. Remote Login – No account logged in yet
  8. Remote Login – Account already logged in
  9. Remote Login – User initiated logoff
  10. Remote Login – Get control back at the console
  11. User initiated shutdown
  12. User initiated Standby mode
  13. Return from Standby mode

I will follow up this article with the details of my testing. The tests should be repeated using Network Credentials with a connected Domain Controller and Cached Network Credentials.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: